'NSA malware' released by Shadow Brokers hacker group

[Image (Getty Images): NSA facility in Utah. Caption: This data centre in Salt Lake City, Utah, is used by the NSA - but the agency has not commented on the Shadow Brokers' claim that the hacking tools came from the NSA]

The "Shadow Brokers" hacker group has released malware allegedly created by the US National Security Agency (NSA).

The group, which earlier tried to sell the encrypted cache of hacking tools in an online auction, released a password for it via a blog on 8 April.

Some cyber-security experts have said some of the malware is real, but old.

The NSA has not commented on the hacker group or the material that was released over the weekend.

The Shadow Brokers said they had published the password as a "protest" about US President Donald Trump.

The group wanted "America to be great again", the blog added.

It criticised, among other things, "[Steve] Bannon's removal from the [National Security Council]" and the "US military strike on Syria".

A list of alleged NSA hacking targets and the malware allegedly installed at them was also included in the release, according to some cyber-security experts.

'Not Russia fans'

The Shadow Brokers say they are "not fans of Russia or Putin", but some experts have suggested the group may have links with the Russian government.

"Russia is quickly responding to the missile attacks on Syria with the release of the dump file password that was previously withheld," said Jake Williams, chief executive of cyber-security firm Rendition Infosec in a blog.

A similar opinion was shared on Twitter by Dan Gonzales, a senior scientist at the Rand Corporation think tank.

The Shadow Brokers were "probably a front for or infiltrated by #Russia #cyber groups," he said.

Neither commentator gave any evidence to support such claims. Russian officials have not commented but have strenuously denied involvement in other hacking cases associated with the US.

"If Russia had stolen the hacking tools, it would be senseless to publicise the theft, let alone put them up for sale," cyber-security expert James Bamford wrote in an article for Reuters news agency.

He suggested that the Shadow Brokers could be an NSA "insider".


In a separate case, a series of cyber-attacks on 40 targets in 16 countries has been linked to a cache of hacking tools, according to cyber-security firm Symantec.

The cache, known as Vault7, was published online by WikiLeaks and said to contain malware used by the Central Intelligence Agency (CIA).

The agency has not confirmed whether it authored the tools.

The malware analysed by Symantec had been used to infect computers in Europe, Asia and the Middle East.

"On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally," Symantec noted.

The malware contained logs documenting changes that closely mirrored such records in Vault7 malware, the firm claimed.